Introduction
This reference document provides a list of generic indicators and/or risk factors associated with potential fraud and is aimed at education providers.
For ease of use, indicators and/or risk factors have been categorised into the following areas:
- personal motives for fraud
- organisational motives for fraud
- weaknesses in internal controls
- transactional indicators
- possible methods used to commit and/or conceal fraud
- record keeping/banking/other
Due to the nature of fraud, indicators/risk factors may not be exclusive to just one area.
This document is not exhaustive and is a guide only, but may be helpful for use as a checklist where concerns exists that fraudulent activity may be taking place.
Due to the diverse organisational constitution of education providers, indicators may not be relevant to all providers.
Personal motives for fraud
| Personal motives for fraud | |
| Personnel believe they receive inadequate compensation and/or rewards (such as, recognition, job security, vacations, or promotions) | |
| Expensive lifestyle (such as cars or trips) | |
| Personal problems (such as gambling, alcohol, drugs or debt) | |
| Unusually high degree of competition or peer pressure | |
| Related party transactions (business activities with personal friends, relatives or their companies) | |
| Conflicts of interest | |
| Disgruntled employee (such as being recently demoted or reprimanded) | |
| Recent failure associated with specific individual | |
| Personal animosity or professional jealousy |
Organisational motives for fraud
| Organisational motives for fraud | |
| Organisation experiencing financial difficulty | |
| Commercial arm experiencing financial difficulty | |
| Tight or under unusually tight time deadlines to achieve level of outputs | |
| Organisational governance lacks clarity, direction, or substance | |
| Organisation closely identified with, or dominated by, one individual | |
| Organisation under pressure to show results (such as budgetary matters or exam results) | |
| Organisation recently suffered disappointment/ consequences of bad decisions | |
| Organisation wants to expand its scope, obtain additional funding | |
| Funding award/contract for services up for renewal/continuation | |
| Organisation due for a site visit by auditors, Ofsted or others | |
| Organisation has for-profit component | |
| Organisation recently affected by new and/or changing conditions (such as regulatory, economic or environmental) | |
| Organisation faces pressure to use or lose funds to sustain future funding levels | |
| Record of previous failure(s) by one or more organisational areas, associated business or key personnel | |
| Sudden change in organisation practice or pattern of behaviour |
Weaknesses in internal controls
| Weaknesses in internal controls | |
| There is a general lack of transparency about how the organisation works, procedures and controls | |
| Management demonstrates lack of attention to ethical values (including a lack of communication regarding importance of integrity and ethics, lack of concern about presence of temptations and inducements to commit fraud, lack of concern regarding instances of fraud, no clear fraud response plan or investigation policy) | |
| Management fails to specify and/or require appropriate levels of qualifications, experience, or competence for employees | |
| Management displays a penchant for taking risks | |
| Lack of an appropriate organisational and governance structure with defined lines of authority and reporting responsibilities | |
| Organisation lacks policies and communication relating to individual accountability and best practices, for example related to procurement, travel and subsistence, use of alcohol, or declarations of interest. | |
| Lack of personnel policies and recruitment practices. | |
| Organisation lacks personnel performance appraisal measures or practices. | |
| Management displays lack of commitment towards the identification and management of risks relevant to the preparation of financial statements (that is, they do not consider significance of risks, likelihood of occurrence or how they should be managed). | |
| There is inadequate comparison of budgets with actual performance and costs, forecasts and prior performance. No regular reconciliation of control records and lack of proper reporting to governing body. | |
| Management of information systems is inadequate (such as, no policy on information technology security, computer use/access, verification of data accuracy, completeness or authorisation of transactions). | |
| There is insufficient physical security over facilities, assets, records, computers, data files, cash; failure to compare existing assets with related records at reasonable intervals | |
| There is inadequate or inappropriate segregation of duties regarding initiation, authorisation and recording of transactions, maintaining custody of assets and alike. | |
| Accounting systems are inadequate (that is, they have an ineffective method for identifying and recording transactions, no tracking of time periods during which transactions occur, insufficient description of transactions and to which account they should be allocated to, no easy way to know the status of funds on a timely basis, no adequate procedure to prevent duplicate payments or prevent missing payment dates.) | |
| Purchasing systems and/or procedures inadequate (such as poor or incomplete documentation to support procurement, purchase, payment or receipt of goods/services; poor internal controls for authorisation and segregation of duties) | |
| Subcontractor records and/or systems reflect inadequate internal controls | |
| There is a lack of internal, ongoing monitoring of controls which are in place and/or failure to take any corrective actions, if needed | |
| Management is unaware of or displays lack of concern regarding applicable laws and regulations, for example Companies Acts, Charities Acts, Child Protection, Funding Agreement, Contract for Services | |
| Specific problems and/or reportable conditions identified by prior audits or other means of oversight have not been corrected, such as history of problems, slow response to past findings or problems or unresolved present findings | |
| No mechanism exists to inform management, directors, trustees or and governors of possible fraud | |
| General lack of management oversight |
Transactional indicators
| Related party transactions with inadequate, inaccurate or incomplete documentation or internal controls (such as business/research activities with friends, family members or their companies) | |
| Not-for-profit entity has a for-profit counterpart with linked infrastructure (such as shared board of trustees, governors or other shared functions and personnel) | |
| Specific transactions that typically receive minimal oversight | |
| Previous audits with findings of questioned costs, evidence of non-compliance with applicable laws and or regulations, weak internal controls, a qualified audit opinion, inadequate management response to any of the above | |
| Transactions and/or accounts which are difficult to audit and/or subject to management judgement and estimates | |
| Multiple sources of funding with: inadequate, incomplete or poor tracking, failure to segregate funds and/or existence of pooled funds | |
| Unusual, complex or new transactions, particularly if occur at year end, or end of reporting period | |
| Transactions and accounts operating under time constraints | |
| Cost sharing, matching or leveraging arrangements where industry money or other donation has been put into a foundation (foundation set up to receive gifts) without adequate controls to determine if money or equipment has been spent/used and whether it has gone to allowable costs and at appropriate and accurate valuations; outside entity provided limited access to documentation | |
| Travel accounts with: inadequate, inaccurate or incomplete documentation or poor internal controls such as appropriate authorisation and review, variances between budgeted amounts and actual costs, claims in excess of actual expenses, reimbursement for personal expenses, claims for non-existent travel, and/or collecting duplicate payments | |
| Credit card accounts with inadequate, inaccurate or incomplete documentation or internal controls such as appropriate authorisation and review | |
| Accounts in which activities, transactions or events involve handling of cash or wire transfers; presence of high cash deposits maintained with banks | |
| Assets which are of a nature easily converted to cash (such as small size, high value, high marketability or lack of ownership identification) or easily diverted to personal use (such as cars, houses, equestrian centres or villas) | |
| Accounts with large or frequent shifting of budgeted costs from one cost centre to another without adequate justification | |
| Payroll (including fringe benefits) system: controls inadequate to prevent an individual being paid twice, or paid for non-delivery or non-existence; or outsourced but poor oversight of starters, leavers and payments | |
| Consultant agreements which are vague re: work, time period covered, rate of pay, product expected; lack of proof that product or service actually delivered | |
| Subcontract agreements which are vague re: work, time period covered, rate of pay, product expected, lack of proof that product or service actually delivered | |
| Sudden and/or rapid growth of newly contracted or existing education providers. For example: rapid and/or significant increase in learner numbers for newly contracted providers or providers with large cohorts of newly recruited learners in occupational areas where provider has minimal/no previous experience, concerns provider’s infrastructure/staffing is insufficient to manage increase in learners |
Methods used to commit and/or conceal fraud
| Employee indicators such as: eagerness to work unusual hours, access to/use of computers at unusual hours, reluctance to take leave/seek support, insistence on doing job alone and/or refusal of promotion or reluctance to change job | |
| Auditor/employee issues such as: refusal or reluctance to provide information/turn over documents; unreasonable explanations; annoyance/aggressive responses to at questions/requests in an attempt deter auditors; trying to control the audit process (timetables, access, scope); auditee/employee blames a mistake on a lack of experience with financial requirements or regulations governing funding; promises of cooperation followed by subsequent excuses to limit or truncate co-operation; subtle resistance; answering a question that wasn’t asked; offering more information than asked; providing wealth of information in some areas, little to none in others; explaining a problem by saying “we’ve always done it that way”, or “someone at ESFA/DfE (or elsewhere) told us to do it that way” or “Mr X said he’d take care of it”; a tendency to avoid personal responsibility (overuse of “we” and “our” rather than “I”); blaming someone else; too much forgetfulness; trying to rush the audit process; uncharacteristic willingness to settle questioned costs in an attempt to deter further investigation/analysis | |
| A general lack of transparency about how the organisation works, procedures and controls | |
| Fabricated explanations to support inability or unwillingness to evidence transactions/assets (such as stated computer failure/loss of electronic data, or stated theft of business records/assets) |
Record keeping/banking/other
| Documents: missing documents; documents are copies, not originals; documents in pencil; altered documents; false signatures/incorrect person signing/no authorisation where it would be expected | |
| Deviation from standard procedures (for example, all files but one handled a particular way; or all documents but one included in file) | |
| Excessive and/or poorly evidenced journal entries, unable to provide explanations for journal entries | |
| Transfers to or via any type of holding or suspension account | |
| Inter-fund company loans to other linked organisations | |
| Records maintained are inadequate, not updated or reconciled | |
| Use of several different banks, or frequent bank changes; use of several different bank accounts | |
| Failure to disclose unusual accounting practices or transactions | |
| Unusual accounting practices or transactions, such as: uncharacteristic willingness to settle questioned costs; non-serial-numbered transactions or out-of-sequence invoices or other documents; creation of fictitious accounts, transactions, employees, charges; writing large cheques to cash or repeatedly to a particular individual; excessive or large cash transactions; payroll checks with unusual/questionable endorsements; payees have similar names/addresses; and/or non-payroll checks written to an employee | |
| Defining delivery needs in ways that can only be met by one source/individual | |
| Continued reliance on person/entity despite poor performance | |
| Treating non-business and/or personal goods or services as business transactions in financial records (such as goods and services purchased trustees, directors and/or their family members) | |
| Misuse of directors loan account facility, for example: deliberate miscoding of transactions in directors loan account to gain personal advantage | |
| Materials goods and/or services fictitiously erroneously reported as purchased; evidence fabricated to support claim, can be used as conduit to remove funds from organisation. Potentially evidenced by: repeated purchases of same items; identical items purchased in different quantities within a short time period; invoices and statements used to evidence purchase facilitating duplicate transactions/payments; anomalies in format of purchase invoices; and/or goods/equipment not used as promised, doesn’t work, doesn’t exist | |
| Legitimate business assets put to non-business/private use |
Which of the following is not a factor that might affect the likelihood that a control deficiency could result in a misstatement in an account balance?
Which of the following is not a factor that might affect the likelihood that a control deficiency could result in a misstatement in an account balance? The financial statement amounts exposed to the deficiency.
Which of the following is least likely to be considered a risk assessment procedure in a financial statement audit?
Which of the following is least likely to be considered a risk assessment procedure in a financial statement audit? Analytical procedures.
Which of the following would be least likely to be included in an auditor's risks assessment procedures for internal controls?
Answer and Explanation: The correct option is (d). There are only four types of auditor's test of control which do not includes analytical procedures. Analytical procedures include analytical observation and reviews which is not considered as a test of controls.
What factors should auditors consider when evaluating the severity of a deficiency in a control that directly addresses a risk of material misstatement?
There are two components that must be evaluated to assess the severity of a control deficiency: the likelihood that the deficient control will not prevent or timely detect a misstatement, and the magnitude of the potential misstatement resulting from the deficiency.